Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Symantec’s ‘Honey Stick’ Experiment Shows What Happens to Lost Smartphones

What Happens to Lost Smartphones?

“Honey Stick Project” Exposes Risk from Lost Smartphones

In order to get a look at what happens when a smartphone containing sensitive corporate information is lost, Symantec loaded 50 phones with tracking software and fake “sensitive” information, and then scattered the devices across multiple cities in North America.

What Happens to Lost Smartphones?

“Honey Stick Project” Exposes Risk from Lost Smartphones

In order to get a look at what happens when a smartphone containing sensitive corporate information is lost, Symantec loaded 50 phones with tracking software and fake “sensitive” information, and then scattered the devices across multiple cities in North America.

The test, called the Honey Stick Project, was designed to see what really happens when a smartphone is lost and collected by someone other than the owner.

Once the mobile devices were loaded with the simulated personal and corporate data, Symantec dropped the 50 fully-charged smartphones in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada. The devices were intentionally “lost” in different types of locations including elevators, malls, food courts, public transit stops and other heavily trafficked, publicly accessible locations.

With the remote monitoring software installed, it wasn’t long before the phones started to move. Tracking showed that 96-percent of the devices were accessed once found, and 70-percent of them were accessed for personal and business related applications and information. Less than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for, the others were all found.

It seems like it’s hard to trust your fellow man these days, and that was exactly the point Symantec was looking for.

Going further, of the devices located, 45-percent of them reported that there was an attempt to read corporate email, and the remote admin application was accessed 49-percent of the time. A file named “saved passwords” was also one of the top selections, with a 57-percent access rate. Access to social networking accounts and personal email were each attempted on over 60 percent of the devices.

Additionally, 66 percent of the devices showed attempts to click through the login or password reset screens (where a login page was presented with username and password fields that were pre-filled, suggesting that the account could be accessed by simply clicking on the “login” button) .

Advertisement. Scroll to continue reading.

In all, the average time spent accessing the “found” phones was just over 10 hours.

On Demand Webcast: Protecting Corporate Data in Mobile Apps

“The goal of this research is to show what smartphone users should expect to happen on their phones if they are lost and then found by a stranger. In today’s world, both consumers and corporations need to be concerned with protecting the sensitive information on mobile devices,” the report on the experiment explains.

“While devices can be replaced, the information stored and accessed on them is at risk unless users and businesses take precautions to protect it.”

While this type of public domain experiment is certainly interesting, Symantec reminds that projects like this are by no means perfect. “In particular, logging of the apps depends on the device having Internet access,” the summary notes. “Therefore, if a finder manipulates the device in a certain way, it is possible that no data will be recorded. This situation would result in an under-reporting of access frequency. Conversely, the most significant over-reporting error would be an individual who was aware of the intent of the study, and performed repeated accesses as a way to manipulate the results to be more significant than would normally happen.”

More information about the Honey Stick experiment is on Symantec’s blog. The full report (PDF) is available here.

On Demand Webcast: Protecting Corporate Data in Mobile Apps

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.